<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; policy</title>
	<atom:link href="https://privacyriskreport.com/tag/policy/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</title>
		<link>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach</link>
		<comments>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/#comments</comments>
		<pubDate>Thu, 04 Oct 2018 19:08:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1673</guid>
		<description><![CDATA[
<p>While some courts have found coverage for data breach claims under CGL policies, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.... <a class="more-link" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/" target="_blank">While some courts have found coverage for data breach claims under CGL policies</a>, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.</p>
<p>The decision in <em>St. Paul Fire &amp; Marine Ins. Co. v. Rosen Millennium, Inc</em>., case no. 17-cv-540, provides the latest example of a court finding no coverage for a data breach under a commercial general liability insurance policy (“CGL”).  In <em>Rosen Millennium</em>, the Federal District Court for the Middle District of Florida issued an order on September 28, 2018, finding no coverage for a data breach under two CGL policies issued to defendant, Rosen Millennium (“Rosen”).</p>
<p>Rosen was providing data security services to Rosen Hotels &amp; Resorts (“RHR”) when they discovered a potential breach of credit cards at a hotel in February of 2016.  The forensic investigator determined information related to the credit cards provided by hotel patrons was breached and RHR took steps to notify the patrons in March of 2016.</p>
<p>Rosen submitted a notice of claim to its insurer, St. Paul Fire &amp; Marine (“Travelers”) in December of 2016, which stated RHR claimed the breach was the result of Rosen’s negligence. Travelers issued a reservation of rights denying coverage and requesting Rosen provide any information it believes may impact St. Paul’s coverage determination. Shortly thereafter, Travelers filed this declaratory action seeking a determination of its duty to defend Millennium against RHR’s negligence claims.  Even though RHR did not file suit, they claimed a demand letter from RHR and Millennium’s Notice of Claim created a controversy as to Travelers’ duty to defend Millennium under the CGL policies.</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Property Damage” Under the CGL Policies</strong></li>
</ul>
<p>In granting Travelers’ motion for summary judgment, the District Court first opined that the Notice of Claim (which contained only the relevant dates of the breach) and demand letter (which provided only that Rosen exposed private information to third parties) did not trigger Travelers’ defense obligation under the policy.  In particular, the District Court found these documents “make no mention of, let alone a claim for, property damage or the costs incurred from complying with notification statutes.”  Consequently, the District Court found Rosen’s claims for coverage not ripe and held Travelers had no “duty to defend a hypothetical claim.”</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Personal Injury” Under the CGL Policies</strong></li>
</ul>
<p>The District Court also rejected Rosen’s assertion that RHR’s allegations constituted “personal injury” as that term is defined under the CGL Policies.  In particular, the CGL Policies defined personal injury as “injury, other than bodily injury or advertising injury, that’s caused by a personal injury offense.”  And, the CGL policies defined “personal injury offense” as “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The central question in the District Court’s analysis is whether the material, or personal information, was “made known” by Rosen and, therefore, constitutes a personal injury offense.  Both parties agreed “making known” “is synonymous with ‘publication.’”</p>
<p>In addressing this question, Travelers argued that the allegations against Rosen do not constitute publication because “third-party data breaches are not covered under” CGL policies. That is, there is no coverage because the alleged injuries do not result from Rosen’s “business activities but rather the actions of third parties.”  In other words, there is no coverage for these claims because, if there was a publication, the publication was not done by the insured, Rosen.</p>
<p>This decision serves as another reminder that only a sliver of the data breach cases even arguably trigger coverage under a CGL policy. On the other hand, the insurance marketplace has solved the problem Rosen faced in this matter by offering cyber insurance policies that are specifically designed to provide cyber coverage.</p>
<p>Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> (trowe@tresslerllp.com) for additional questions or for a copy of this decision.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tick Tock: A GDPR Primer To Meet The Deadline Next Week</title>
		<link>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week</link>
		<comments>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/#comments</comments>
		<pubDate>Fri, 18 May 2018 17:32:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1509</guid>
		<description><![CDATA[
<p>Discussions on privacy laws have taken front and center in recent weeks as European Union (EU) member states begin enforcing the General Data Protection Regulation (“GDPR”) on May 25, 2018.  As we have been discussing for a while, there is... <a class="more-link" href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/">Tick Tock: A GDPR Primer To Meet The Deadline Next Week</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Discussions on privacy laws have taken front and center in recent weeks as European Union (EU) member states begin enforcing the General Data Protection Regulation (“GDPR”) on May 25, 2018.  <a href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/" target="_blank">As we have been discussing for a while</a>, there is confusion as data collectors try to figure out the impact of this legislation.  There is no question that large, multi-national corporations will have to comply and many of these corporations are already in compliance.  However, with this deadline just around the corner, smaller companies that do not actively target EU residents are struggling with how this legislation impacts them.</p>
<p>Until all these laws are harmonized, the safest route for smaller companies may be to comply with GDPR, state, federal, local and industry regulations as much as possible. While the GDPR deadline is looming, it is worthwhile for smaller data collectors to consider the following:</p>
<p><strong>GDPR Overview</strong></p>
<p>The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”  (A guide to the EU GDPR can be found <a href="https://www.eugdpr.org/" target="_blank">here</a>.)</p>
<p>Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of the location of the data collector.  The definition of personal data is broadened to include any information “that can be used to directly or indirectly identify the person.”  Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”</p>
<p>GDPR also imposes new obligations on how the data is to be handled and stored.  For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed.  GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request. The penalties for non-compliance may total up to 4% of the annual global turnover of the breaching data collector or €20 million (whichever is greater).</p>
<p><strong>Should We be Concerned About GDPR Regulations?</strong></p>
<p>We have been getting questions from our clients about how GDPR may impact them.  The knee-jerk reaction from many American companies appears to be to ignore GDPR if their business is not focused on EU residents.  Admittedly, there are many questions concerning how GDPR regulations can be enforced on data collectors outside of the European Union. Of course, betting on the fact that the EU will not be able to broadly enforce these regulations is not the best strategy.</p>
<p>The consensus is that general marketing to customers that may include EU residents will not trigger an obligation under the GDPR.  Rather, it appears at this time, that EU residents will need to be directly targeted for GDPR to apply to data collectors outside the United States.  <a href="https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/2/#297abf1849a9" target="_blank">Commentators have provided the following analysis</a> on this issue:</p>
<p><em>For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.</em></p>
<p><em>Accepting currency of that country and having a domain suffix &#8212; say a U.S. website that can be reached with a .nl  from the Netherlands &#8212; would certainly seal the case.</em></p>
<p>Even if GDPR compliance may not be a priority for smaller data collectors, it is still worthwhile at this time for data collectors to consider compliance for the following reasons:</p>
<p><em>&#8211; GDPR compliance is not costly</em>. At this point, compliance may be adding a few new disclosures to their website.</p>
<p><em>&#8211; GDPR compliance has a positive impact for customers that trust you with their data</em>. Even if large, multi-national corporations have the most at stake, working toward GDPR compliance will only make data safer.  Keeping data safe may result in more business and cutting losses related to a cyber incident.</p>
<p><em>&#8211; GDPR compliance puts you ahead of the pack</em>. There is no doubt that the GDPR regulations are the strictest and most punitive we have seen to date.  However, GDPR compliance is only going to help data collectors comply with state, federal and industry standards that they may already be required to follow.  Further, if the GDPR is successful, data collectors can be certain the U.S. will adopt similar standards.</p>
<p><strong>The Initial, Practical Approach To GDPR Compliance</strong></p>
<p>Now that it is clear that GDPR compliance may be a concern even for data collectors that are not necessarily targeting EU residents, a discussion as to the potential for liability can be guided by the following points:</p>
<ol>
<li><strong>Data Inventory. </strong>Data collectors need to first inventory the information and data that is being collected. A website that collects names and emails of visitors may gather EU residents&#8217; data occasionally, but may not target the European Union for business.  A data collector cannot thoroughly assess liability without taking stock of the origin of the collected data.</li>
<li><strong>Consent? </strong>While it is still early in the process of GDPR compliance, it is assumed that most data collectors will find there is a peripheral chance that data belonging to an EU resident will be collected.  This is the proper time to determine whether consent should be obtained from all individuals providing any data or information.  Consent does not have to be an elaborate policy that no one would want to read (we are looking at you, Apple).  Rather, consent can be obtained through clear language without legalese.  From a practical standpoint, data collectors may want to use a website such as <a href="https://secureprivacy.ai/" target="_blank">SecurePrivacy.AI</a>, which has recently begun offering a free tool that scans websites for GDPR compliance.</li>
<li><strong>Data/Privacy Officer. </strong>Reviewing GDPR compliance also provides an opportunity to consider whether a data/privacy officer should be appointed. This person will be responsible for handling data and information retention issues and would be a point of contact for anyone worried about how their data was gathered, used or retained.</li>
</ol>
<p>The issues concerning GDPR are not new.  Data collectors have been struggling with compliance with federal, state, local and industry data collection requirements for years.  For example, an employer in Chicago, Illinois may hold information for its employees that are residents of Illinois, Wisconsin or Indiana.  This employer may have been trying to harmonize privacy regulations for years at this point.  Consequently, data collectors should use GDPR as another opportunity to assess the safeguards they have in place to protect data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/">Tick Tock: A GDPR Primer To Meet The Deadline Next Week</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</title>
		<link>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information</link>
		<comments>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/#comments</comments>
		<pubDate>Fri, 29 Sep 2017 20:41:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[private]]></category>
		<category><![CDATA[private data]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1327</guid>
		<description><![CDATA[
<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public.  Specifically, under Open Records Acts, Freedom of Information Action requests and other similar requirements, many governmental bodies have to provide... <a class="more-link" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public.  Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide sensitive information to the public.  However, over the last few years, these same governmental bodies and commercial companies have also started to face additional requirements to adopt cyber security safety measures to protect data.  It is not difficult to see how these various requirements may become competing interests that cause confusion.  Therefore, we are starting to see new methods to address the need to provide information to the public in a convenient format while properly securing information.</p>
<p>One recent example of the need to strike a balance between providing information and safeguarding information is seen in <em>Taylor v. School Administrative Unit #55</em>, 2017 WL 4172944 (September 21, 2017), when the New Hampshire Supreme Court found providing information on a thumb drive, rather than through email, was acceptable given the cyber security concerns in protecting that information.</p>
<p>On May 12, 2016, the School Administrative Unit #55 (“School District”) voted to go into a nonpublic session to discuss the superintendent’s evaluation and “emergency functions.”  The School District voted to seal the minutes while in the nonpublic session.  The following month, the plaintiff, David Taylor, requested the superintendent’s office send him the minutes of the May 12, 2016 nonpublic session. Taylor was told the minutes could not be provided because they were sealed.  In response to a second email sent by Taylor, the superintendent’s office denied the request based on the School District’s “Right-To-Know” procedure which allowed records to only be provided to a member of the public that brings a sealed thumb drive (or purchases a thumb drive directly from the School District) for the records to be downloaded.</p>
<p>By August of 2016, Taylor had filed a complaint initiating this lawsuit based on allegations that the School District had violated New Hampshire law by voting in a closed session to seal the minutes of the nonpublic meeting and “refusing to forward to him, by email, the records he requested.” Taylor sought a declaration that the School District’s policy requiring information to be downloaded on a thumb drive violated New Hampshire law and an order requiring the records be transferred via email.</p>
<p>The School District argued a number of “cyber security concerns” validated its procedure for using thumb drives rather than transferring the information through email. In agreeing with the School District, the New Hampshire Supreme Court held “we find valid the [School District’s] concern that responding to records requests by e-mail ‘would introduce unreliability into the process because sometimes e-mails are too big to be received, and there is no way for the [School District] to confirm receipt of e-mails it sends.’” The Supreme Court was further concerned over the potential for mistakes once the School District started sending a number of responses to “Right-To-Know” requests via email.  Specifically, the Supreme Court agreed with the trial court’s finding that “while plaintiff may be correct that the simple forwarding of one email poses a very small cyber security risk, the greater potential risk comes from repeated email exchanges with multiple parties making Right-To-Know-Requests.&#8221;  Further, the Supreme Court held that the thumb drive policy did not necessarily diminish the use of records provided on thumb drives and “serves the governmental interest of protecting public bodies’ and agencies’ information technology systems…”</p>
<p>Governmental bodies have to walk a thin line between the need to make information available to the public and the need to have cyber security safeguards in place to protect the public. Here, the School District was required to provide access to information, but it also had a fiduciary duty to protect private information.  The School District’s agreement to provide the requested information on a thumb drive provides another example of how entities can use all available technology to overcome cyber security concerns.  While downloading data to a thumb drive may not be the most convenient method to provide this information, it allowed the School District to meet its fiduciary obligation to protect information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</title>
		<link>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated</link>
		<comments>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/#comments</comments>
		<pubDate>Fri, 07 Jul 2017 16:36:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[electronics communicatons act]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1249</guid>
		<description><![CDATA[
<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when... <a class="more-link" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when the United States District Court for the Central District of California dismissed a case entitled <em>Casillas v. Berkshire Hathaway Homestate Companies, et al</em>., 15-04763, 2017 WL 2813145 (June 27, 2017). In <em>Casillas</em>, the plaintiffs alleged two insurance investigators hacked an online database created by HQSU Sign Up Services, Inc. (&#8220;HQSU&#8221;) which stored workers&#8217; compensation litigation files.  In serving as an “administrative services” contractor to various workers’ compensation attorneys, HQSU stored everything from “personal data” (including the client’s full name, Social Security Number, birth date, home address, legal status, driver’s license information, and salary information) to the attorneys’ communications with their clients and personal notes about the various cases. In particular, the plaintiffs allege that over the course of two years, the investigators accessed and downloaded over 30,000 workers’ compensation files.  The complaint further alleges the hackers took this information to provide the insurance companies with “a counsel’s advantage” in pending litigation and to “intimidate and force concessions” from various plaintiffs.</p>
<p>The <em>Casillas</em> Court closely analyzed what is necessary to bring a viable cause of action under <a href="https://www.law.cornell.edu/uscode/text/18/2701">18 U.S.C. § 2701(a)(1),</a> the Stored Communications Act. This Act was designed decades ago to “protect against the unauthorized interception” of “stored wire and electronic communications and transactional records.” The Act creates a private right of action against anyone who:</p>
<p>(1)       “intentionally accesses without authorization”</p>
<p>(2)       a “facility through which an <em>electronic communication service</em> is provided” and</p>
<p>(3)       “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”</p>
<p>However, before finding the plaintiffs’ complaint should be dismissed, the Court analyzed what it refers to as the “technical distinction between ‘electronic communication services’ and ‘remote computing services.’” Specifically, in addressing this distinction, the Court held that “&#8230;though they aren’t mutually exclusive categories, the Act establishes ‘different standards of care for different types of communication.’” The Court provides the following distinction between these two phrases:</p>
<ul>
<li><strong>Electronic Communications Service</strong>: “Congress defined an ‘electronic communication service’ as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ Think email: ‘[C]ommunication by which private correspondence is &#8230; typed into a computer terminal, and then transmitted over telephone lines to a recipient computer operated by an electronic mail company.’”</li>
<li><strong>Remote Computing Service</strong>: “A ‘remote computing service,’ by contrast, is one that ‘provi[des] to the public [a] computer storage or processing service[ ] by means of an electronic communications system.’ Think off-site storage: ‘In the age of rapid computerization, &#8230; remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities.’”</li>
</ul>
<p>Indeed, the importance of this distinction is seen firsthand, as the portion of the Act under which the plaintiffs sought relief, 18 U.S.C. § 2701(a)(1), “applies only to the provision of electronic communication services, and therefore excludes the provision of remote computing services from its strictures.” The <em>Casillas</em> court found plaintiffs’ complaint was limited to allegations that their attorneys “used HQSU’s administrative services in a limited fashion—by ‘uploading and downloading documents’ to the online database and appending case-related ‘notes’ to those documents.” These allegations, the court opined, describe a “remote computing service,” which does <em>not</em> give rise to a private cause of action under the Act. In conclusion, the court found “it’s plain that the plaintiffs have mixed up their claims under the Stored Communications Act.”</p>
<p>Litigants bringing claims related to cyber security, data breaches and privacy not only have to overcome <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">significant hurdles to establish standing</a>, but often have to work with law that was developed before the technology that forms the basis for their claims.  Admittedly, it may be difficult to seek relief for damage caused by modern technology under laws that precede this technology by decades.  Even though the <em>Casillas</em> court acknowledges the distinction between &#8220;electronic communication services&#8221; and &#8220;remote computing services&#8221; may be &#8220;a bit dated,&#8221; the parties still must meet the requirements for a viable action under the Act.  This case demonstrates the complexity of cyber security and privacy claims and the need to retain counsel that has experience in this developing, highly-specialized area.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</title>
		<link>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action</link>
		<comments>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/#comments</comments>
		<pubDate>Fri, 12 May 2017 18:40:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Home Depot]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1200</guid>
		<description><![CDATA[
<p>The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this... <a class="more-link" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p dir="LTR" align="LEFT">The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s&#8221;) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this breach was recently seen in <em>Community Bank of Trenton v. Schnuck Markets</em>, 2017 WL 1551330 (May 1, 2017), when the District Court for the Southern District of Illinois granted Schnuck’s motion to dismiss Trenton’s complaint.</p>
<p dir="LTR" align="LEFT">Trenton, a bank that issued credit cards allegedly compromised in this data breach, filed its complaint seeking recovery for damages based on a theory that it would have instructed its customers to shop elsewhere or use cash or checks for purchases if Schnucks had been more upfront about the security of its data network.  Specifically, Trenton attempted to support its cause of action with allegations &#8220;that they were intended or third-party beneficiaries to the contracts between [Schnucks] and others in the card processing network because [Trenton] received an interchange fee or interest for processing cards.&#8221;  Trenton’s complaint further alleged that unencrypted data &#8220;was potentially compromised for 2.4 million cards swiped at Schnucks’ stores from December 1, 2012 through March 30, 2013.&#8221;  The Complaint alleged Schnucks learned of the breach on March 14, 2013, but did not notify the public of the incident until March 30, 2013.  Trenton claimed that during this time an estimated 340,000 additional cards may have been compromised (based on its calculations that 20,000 cards were being used each day).</p>
<p dir="LTR" align="LEFT">In granting Schnucks&#8217; motion to dismiss, the District Court first analyzed Trenton’s negligence claim brought under Missouri law.  Specifically, Trenton asserted Schnucks should be held liable under Missouri’s data breach notification law (Mo. Rev. Stat. § 407.500).  The District Court rejected Trenton’s argument finding &#8220;the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General.&#8221;  (&#8220;What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify.&#8221;)  The District Court further rejected Trenton’s attempt to establish a private cause of action under Missouri’s breach notification laws by refusing to &#8220;read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation.&#8221;</p>
<p dir="LTR" align="LEFT">After finding Trenton did not have a private cause of action based on Missouri&#8217;s breach notification laws, the District Court distinguished &#8220;out-of-circuit precedent&#8221; where courts have found defendants had a duty to safeguard data based on a business relationship.  (<em>In re Home Depot, Inc. Customer Data Security Breach Litigation</em>, 2016 WL 2897520 (N.D. Ga. 2016); <em>Target Corp. Data Sec. Breach Litigation</em>, 66 F. Supp.3d 1154 (Minn. D. Ct. 2014); and <em>Sovereign Bank v. BJ&#8217;s Wholesale Club, Inc.,</em> 395 F. Supp.2d 183, 193-96 (M.D. Penn. 2005).)  The District Court found these cases unpersuasive because the record in the <em>Home Depot</em> breach litigation suggests &#8220;Home Depot&#8217;s data security conduct&#8230;was egregious and intentional,&#8221; the <em>Target</em> Court relied on provisions that were unique to Minnesota law and the holding in <em>BJ&#8217;s Wholesale Club</em> &#8220;is frankly outdated.&#8221;</p>
<p dir="LTR" align="LEFT">The holding in <em>Schnuck&#8217;s</em> provides clarity that many courts are not willing to find legislatures intended to create a private cause of action out of state breach notification laws. Rather, as pointed out by the <em>Schnucks</em> court, plaintiffs may need to show a data breach resulted from the &#8220;egregious and intentional&#8221; conduct seen in the <em>Home Depot</em> breach litigation.  The <em>Schnucks</em> court distinguishes this case from the record in the <em>Home Depot</em> litigation where there was evidence showing Home Depot may have ignored warning signs of poor data security &#8220;and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures.&#8221;</p>
<p dir="LTR" align="LEFT">The cyber security world has dramatically changed since the Home Depot breach and many data collectors have gained a better understanding of the importance of network security.  Therefore, there is less chance that a breach today would be handled in the same manner as the Home Depot breach.  Consequently, plaintiffs may have difficulty showing this level of intentional conduct giving rise to recent data breaches.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Use of Biometric Data Enters the Courts</title>
		<link>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=use-of-biometric-data-enters-the-courts</link>
		<comments>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/#comments</comments>
		<pubDate>Tue, 14 Feb 2017 22:09:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1105</guid>
		<description><![CDATA[
<p>The Privacy Risk Report has previously reported on the necessity to safeguard personal information such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves... <a class="more-link" href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/">Use of Biometric Data Enters the Courts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The <em>Privacy Risk Report</em> has previously reported on the <a href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/" target="_blank">necessity to safeguard personal information</a> such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA).</p>
<p>“Biometrics” is defined as “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from <a href="https://privacyriskreport.com/apple-watch-poses-a-number-of-new-privacy-risks/">watches that may collect health data</a> and finger-scanners at grocery stores and gas stations to retina scanners for financial transactions. Not only is this technology here to stay, but it is already involved in litigation across the country.</p>
<p>For example, in <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Vigil_v_Take_Two.pdf" target="_blank"><em>Vigil v. Take-Two Interactive Software, Inc</em>.</a>, the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.</p>
<p><strong>Illinois Biometric Information Privacy Act</strong></p>
<p>The Illinois legislature enacted BIPA (<a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57%20">740 Ill. Comp. Stat. 14/1 et seq</a>.), “which sets forth disclosure, consent, and retention requirements for private entities that collect, store, and disseminate biometric data.”</p>
<p>Before reaching its decision to grant Take-Two’s motion to dismiss, the District Court provided the following exhaustive background on BIPA:</p>
<p style="padding-left: 30px;"><em>As the Illinois legislature observed, biometric data are by definition unique, and thus—unlike a credit card number—cannot realistically be changed if they are subject to identity theft. <u>See</u> </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=SP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_4b24000003ba5"><em>740 Ill. Comp. Stat. 14/5(c)</em></a><em>. The Illinois legislature was concerned that the failure of businesses to implement reasonable safeguards for such data would deter Illinois citizens from “partaking in biometric identifier-facilitated transactions” in the first place, and would thus discourage the proliferation of such transactions as a form of engaging in commerce. </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=SP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_7fdd00001ca15"><em>740 Ill. Comp. Stat. 14/5(e)</em></a><em>. The BIPA represents the Illinois legislature’s judgment that the collection and storage of biometrics to facilitate financial transactions is not in-of-itself undesirable or impermissible; instead, the purpose of the BIPA is to ensure that, when an individual engages in a biometric-facilitated transaction, the private entity protects the individual’s biometric data, and does not use that data for an improper purpose, especially a purpose not contemplated by the underlying transaction. 
<u>See</u> </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>740 Ill. Comp. Stat. 14/5(a–g)</em></a><em>.</em></p>
<p style="padding-left: 30px;"><em>Under the BIPA, a “biometric identifier” is “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while “biometric information” is information based on “biometric identifiers.” </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f10&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>740 Ill. Comp. Stat. 14/10</em></a><em>.</em></p>
<p><strong>Take-Two’s Video Game — NBA 2K16</strong></p>
<p>The defendant, Take-Two, collects and uses biometric data for its video games, including NBA 2K16. The plaintiffs allege that they used a feature in the video game “to scan their respective faces to create personalized virtual basketball players, exclusively for in-game play.” The plaintiffs did not allege the images of their faces were used for anything beyond use in their own games. The “MyPlayer” feature was specifically at issue, “which allows a gamer to create a ‘personalized basketball avatar’ based on a three-dimensional rendition of the gamer’s face.”</p>
<p><strong>Plaintiffs’ Claims of BIPA Violations </strong></p>
<p>Plaintiffs claimed that Take-Two’s violations of BIPA included the following:</p>
<ul>
<li>Take-Two did not publicly provide “a retention schedule or guidelines for permanently destroying biometric identifiers;”</li>
<li>Take-Two failed to inform the plaintiffs in writing that their biometric information was being collected;</li>
<li>Take-Two collected biometric information without obtaining a proper release from the plaintiffs;</li>
<li>Take-Two disclosed and disseminated plaintiffs’ biometric information without adequate consent;</li>
<li>Take-Two did not employ “industry-standard reasonable care;” and,</li>
<li>Take-Two profited from plaintiffs’ biometric information.</li>
</ul>
<p><strong>Dismissal of Plaintiffs’ Complaint</strong></p>
<p>Unconvinced by the plaintiffs’ arguments, the District Court granted Take-Two’s motion to dismiss the plaintiffs’ second amended complaint based on a finding that plaintiffs lacked standing to bring suit against Take-Two. <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/">As with many data storage cases</a>, plaintiffs had to demonstrate they had standing to bring suit. In order to avoid Take-Two’s motion to dismiss, the plaintiffs attempted to support their claims with allegations of procedural violations of BIPA, without any allegations of additional harm in order to establish standing.</p>
<p>The District Court rejected the plaintiffs’ position because “[n]one of the plaintiffs’ allegations of procedural violations, on their own, demonstrate a material risk of harm to BIPA’s concrete data protection interest because there is no plausible allegation that there is a material risk that plaintiffs’ biometrics may be used in a way not contemplated by the underlying use of the MyPlayer feature.</p>
<p>Additionally, the District Court held the plaintiffs failed to establish that there was “an imminent risk of harm that Take-Two’s storage and dissemination of their facial scans could compromise the data protection interest of the BIPA.” The District Court held the allegations that Take-Two’s practices may have subjected plaintiffs’ facial scans to an “‘enhanced risk of harm’ of somehow falling into the ‘wrong hands’” was too speculative to demonstrate plaintiffs had standing to sue Take-Two.</p>
<p>The District Court also rejected the plaintiffs’ argument that their damages were more than merely “speculative and abstract” by arguing that “face scans are relatively immutable, and, unlike (for example) passwords, cannot be changed.”</p>
<p><strong>Initial Impact of this Decision</strong></p>
<p>One fundamental principle running through each section of the District Court’s lengthy opinion is that the plaintiffs scanned their own faces in order to create avatars for the video game, and the plaintiffs failed to allege that the biometric information was used for any purpose other than the one to which they had consented. That being said, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country. It is only a matter of time before data collectors find other uses for biometric information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/">Use of Biometric Data Enters the Courts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>First Class Hack: Researcher Claims Airplane In-Flight Entertainment Systems Give Path to Flight Controls</title>
		<link>https://privacyriskreport.com/first-class-hack-researcher-claims-airplane-in-flight-entertainment-systems-give-path-to-flight-controls-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=first-class-hack-researcher-claims-airplane-in-flight-entertainment-systems-give-path-to-flight-controls-2</link>
		<comments>https://privacyriskreport.com/first-class-hack-researcher-claims-airplane-in-flight-entertainment-systems-give-path-to-flight-controls-2/#comments</comments>
		<pubDate>Thu, 22 Dec 2016 18:18:40 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1056</guid>
		<description><![CDATA[
<p>To overcome his anxiety with flying, IOActive’s researcher/author, Ruben Santamarta, began “spending some flights hacking stuff.” In his December 20, 2016 blog post, “In Flight Hacking Systems,” Santamarta describes how he  tried to gain a better understanding of the In-Flight Entertainment... <a class="more-link" href="https://privacyriskreport.com/first-class-hack-researcher-claims-airplane-in-flight-entertainment-systems-give-path-to-flight-controls-2/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/first-class-hack-researcher-claims-airplane-in-flight-entertainment-systems-give-path-to-flight-controls-2/">First Class Hack: Researcher Claims Airplane In-Flight Entertainment Systems Give Path to Flight Controls</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>To overcome his anxiety with flying, IOActive’s researcher/author, Ruben Santamarta, began “spending some flights hacking stuff.” In his December 20, 2016 blog post, “<a href="http://blog.ioactive.com/2016/12/in-flight-hacking-system.html">In Flight Hacking Systems</a>,” Santamarta describes how he tried to gain a better understanding of the In-Flight Entertainment Systems (IFE) manufactured by Panasonic Avionics and installed in major airline carriers such as Virgin, KLM and American Airlines. After learning how the IFE operates, <a href="http://www.telegraph.co.uk/technology/2016/12/20/hackers-could-take-control-plane-using-in-flight-entertainment/">other reports</a> indicate Santamarta was able “to hijack in-flight displays to change information such as altitude and location, control cabin lighting and hack into the announcements systems.” Santamarta also claimed he could access frequent flyers’ credit card information stored in the in-flight automatic payment system.</p>
<p>Santamarta’s hacking activities prompt the question of whether he could have hacked the aircraft controls using the IFE as “an attack vector.” Santamarta claims that, depending on the hacker’s abilities, it would be “totally feasible” to take over an aircraft’s controls using the IFE systems as an access point. Santamarta advises airlines to isolate or segregate the systems controlling the airplane from the IFE systems.</p>
<p>Santamarta’s blog post indicates that many commercial aircraft networks are divided into the following “four domains” based on the type of data they handle: (1) passenger entertainment; (2) passenger owned devices; (3) airline information services; and (4) aircraft control. Based on his findings, Santamarta believes the best way to reduce the chances that hackers take over an aircraft’s controls is to physically isolate these systems from each other; “this means that as long as there is a physical path that connects both domains, we can’t disregard the potential for attack.”</p>
<p>Santamarta concludes the blog post with the following advice, “the responsibility for security does not solely rests with an IFE manufacturer, an aircraft manufacturer or the fleet operator. Each plays an important role in assuring a secure environment.”</p>
<p>In its December 20, 2016 statement, Panasonic disagreed with Santamarta’s findings, calling them “inaccurate and misleading,” and further claimed the blog post “mixed hypothetical vulnerabilities with specifics about Panasonic’s systems to come up with its results.” Panasonic’s statement also <a href="http://www.ctvnews.ca/sci-tech/in-flight-entertainment-hack-panasonic-rejects-cybersecurity-report-1.3211221" target="_blank">rejects the portion of the report</a> stating that access can be gained to credit card information. Panasonic further offered the reminder that hackers could be criminally charged for trying to access any system on an aircraft.</p>
<p>Regardless of whether Santamarta or Panasonic is correct about the security of IFE systems, Santamarta’s point that the various systems of the aircraft should be completely isolated from each other cannot be overlooked. While common sense tells us that we should not keep the crown jewels in the garage with the gardening tools, it is easy to abandon this common-sense approach when it comes to cyber security. In the same way you don’t want the IFE systems providing “an attack vector” to get to an aircraft’s controls, our businesses and homes should not only try to completely avoid a cyber incident, but should also limit the amount of damage if a cyber incident takes place.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/first-class-hack-researcher-claims-airplane-in-flight-entertainment-systems-give-path-to-flight-controls-2/">First Class Hack: Researcher Claims Airplane In-Flight Entertainment Systems Give Path to Flight Controls</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/first-class-hack-researcher-claims-airplane-in-flight-entertainment-systems-give-path-to-flight-controls-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Rejects Insured’s Attempt at “Selectively Reading” Property Policy to Cover Data Breach</title>
		<link>https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2</link>
		<comments>https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/#comments</comments>
		<pubDate>Fri, 28 Oct 2016 18:48:05 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=982</guid>
		<description><![CDATA[
<p>In Camp’s Grocery, Inc. v. State Farm Fire &#38; Cas. Co., 4:16-cv-00204 (October 25, 2016), the U.S. District Court for the Northern District of Alabama granted summary judgment to defendant State Farm and denied plaintiff Camp’s Grocery (Camp’s) cross-motion to... <a class="more-link" href="https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/">Court Rejects Insured’s Attempt at “Selectively Reading” Property Policy to Cover Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/Camps-v-State-Farm.pdf"><em>Camp’s Grocery, Inc. v. State Farm Fire &amp; Cas. Co</em>.</a>, 4:16-cv-00204 (October 25, 2016), the U.S. District Court for the Northern District of Alabama granted summary judgment to defendant State Farm and denied plaintiff Camp’s Grocery (Camp’s) cross-motion to establish coverage for a data breach incident under a first party property policy and Inland Marine endorsements.</p>
<p>Camp’s was sued in the underlying litigation when the computer systems at a grocery store it operated in Alabama were hacked and confidential customer data including credit card, debit card and check card information was compromised. The plaintiffs in the underlying lawsuit, three credit unions, alleged that Camp’s breach caused them to suffer damages related to their customers’ accounts, including costs to reissue credit cards, reimbursing customers for losses, lost interest and transaction fees, lost customers, diminished good will and administrative expenses. The credit unions claim Camp’s was liable for these damages because Camp’s failed “to provide adequate computer systems and employee training and/or maintain adequate encryption and intrusion detection and prevention systems.”</p>
<p>While the District Court addressed coverage under two principal sections of the property policy issued by State Farm, the decision is clear in stating that Camp’s argument focused on establishing coverage under two Inland Marine endorsements. Nevertheless, the District Court still addressed whether there was coverage under the first party property and liability sections of the Policy even though Camp’s only attached copies of the Inland Marine endorsements to its complaint.</p>
<p><strong>No Coverage Under the First Party Property Sections of the State Farm Policy</strong></p>
<p>The District Court held there was no coverage under Section I of the Policy entitled “Property.” The insuring clause of Section I stated that State Farm would “pay for accidental direct physical loss to…Covered Property,” which included “Buildings” and “Business Personal Property.” The Policy defined “Business Personal Property” as “Property, used in your business, that you own, lease from other or rent from others, or that is loaned to you,” in addition to “Property of others that is in your care, custody or control….” However, the Policy further defined “Covered Property” to expressly not include “electronic data.” And, “Accident” was defined as not including “any defect, programming error, programming limitation, computer virus, malicious code, loss of ‘electronic data,’ loss of access, loss of use, loss of functionality or other condition within or involving ‘electronic data’ of any kind.” Given this policy language, the District Court found there was no coverage for the underlying litigation under Section I.</p>
<p><strong>No Coverage Under the Liability Sections of the State Farm Policy</strong></p>
<p>Likewise, the District Court held there was no coverage under Section II of the Policy entitled “Liability.” The insuring clause of Section II stated that State Farm would pay those sums “the insured becomes legally obligated to pay as damages because of ‘bodily injury,’ ‘property damage,’ or ‘personal and advertising injury’ to which this insurance applies.” The District Court noted that Section II of the Policy also contained the following provisions related to computers and electronic data:</p>
<p>First, the term “property damage” as used in Section II is limited to liability for harm to “tangible property,” which is defined not to include “electronic data.” And expressly excluded from liability coverage under Section II are “damages arising out of the loss of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”</p>
<p>Based on these provisions, the District Court found the liability section of the Policy was not triggered by the allegations in the underlying litigation.</p>
<p><strong>No Coverage Under the Inland Marine Endorsements</strong></p>
<p>Camp’s central argument was that it was entitled to coverage under two Inland Marine endorsements attached to the Policy entitled “Inland Marine Computer Property Form” and “Inland Marine Conditions.” The Insuring Agreement for the Computer Property Form provides that State Farm will pay for physical loss to “‘computer equipment,’ used in your business operations, that you own, lease from other, or that is loaned to you” and “removable data storage media used in your business operations to store ‘electronic data.’”</p>
<p>State Farm asserted it was entitled to summary judgment because the Computer Property Form is a “first party insuring agreement” and, therefore, does not provide for defense or indemnity against claims brought against Camp’s by a third party related to lost or compromised electronic data. In response, Camp’s argued that even if the Computer Property Form did not contain a defense or indemnity obligation, a provision found in Section II of the Policy (Liability) provides that State Farm assumed a duty to defend and indemnify Camp’s.  That is, Camp’s takes the position that the Inland Marine endorsements “expand the scope of liability insurance coverage” under Section II to require State Farm to provide a defense and indemnity for claims involving computers and electronic data.</p>
<p>In rejecting Camp’s argument, the District Court was persuaded by State Farm’s position that the liability provision in Section II of the Policy “is triggered where the insured becomes legally obligated to pay damages because of bodily injury, property damage or personal and advertising injury.” And, while Camp’s was not claiming the underlying litigation contained any allegations of bodily injury or personal and advertising injury, Camp’s did claim the underlying litigation sought damages for property damage when the credit unions claimed damages to replace credit and debit cards. The District Court rejected Camp’s argument on the basis that Section II of the Policy defines “property damage” as being limited to “tangible property” and the Policy is careful to state “electronic data is not tangible property.” The District Court found “the Credit Unions assert that Camp’s lax computer network security allowed the intangible electronic data contained on the cards to be compromised such that the magnetically encoded card numbers could no longer be used, causing purely economic loss flowing from the need to issue replacement cards with new electronic data.” Further, Section II contained an exclusion for “damages arising out of the loss of, loss of use of, corruption of, inability to access, or inability to manipulate electronic data.” Given these provisions, the District Court found there was no coverage for the Credit Unions’ claims.</p>
<p>The District Court additionally rejected any attempt by Camp’s to “selectively read[] the Policy in a piecemeal fashion, picking and choosing parts of different coverages that would preclude or exclude their application to the Credit Unions’ claims.”</p>
<p>This decision further demonstrates the need for cyber insurance and how traditional insurance may not offer protection against these emerging claims. Here, despite Camp’s efforts to establish coverage under the various provisions of its property policy, the District Court ultimately found that the various coverage parts of a first party insurance policy cannot be twisted into providing cyber coverage for data breach litigation.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/">Court Rejects Insured’s Attempt at “Selectively Reading” Property Policy to Cover Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach</title>
		<link>https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach</link>
		<comments>https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/#comments</comments>
		<pubDate>Thu, 09 Jun 2016 17:50:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=783</guid>
		<description><![CDATA[
<p>In 2014, P.F. Chang’s experienced a credit card breach involving a number of its restaurants that culminated in numerous lawsuits nationwide. The ensuing litigation related to this data breach provided significant insight into what would become the important issues in data... <a class="more-link" href="https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/">The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In 2014, P.F. Chang’s experienced a credit card breach involving a number of its restaurants that culminated in numerous lawsuits nationwide. The ensuing litigation related to this data breach provided significant insight into what would become the important issues in data breach litigation moving forward. For example, the <a href="https://privacyriskreport.com/p-f-changs-decision-establishes-7th-circuit-as-friendly-territory-for-data-breach-plaintiffs/">7th Circuit U.S. Court of Appeals held the class representatives’ allegations</a> of fraudulent credit card charges, credit monitoring costs and potential identity theft were sufficient to establish standing to bring suit against P.F. Chang’s for this data breach.</p>
<p>The impact of P.F. Chang’s data breach on insurance coverage law is becoming apparent two years after the breach and as class action plaintiffs are beginning to prosecute their cases. For instance, on May 31, 2016, in <em><a href="https://privacyriskreport.com/wp-content/uploads/2016/06/PFChangs_v_Federal.pdf" target="_blank">P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co.</a></em>, a federal District Court in Arizona issued an order granting Federal Insurance Company’s motion for summary judgment, finding there was no coverage under a cyber policy for P.F. Chang’s breach. The <em>P.F. Chang&#8217;s</em> court stated the central issue in its coverage determination as:  “…whether coverage exists under the insurance policy between Chang’s and Federal for the credit card association assessments that arose from the data breach Chang’s suffered….”</p>
<p>Prior to its analysis of the coverage issues, the order granting summary judgment provides the following background related to P.F. Chang’s claim under the Federal Policy:</p>
<ul>
<li>Federal issued a cyber policy to P.F. Chang’s, effective January 1, 2014, to January 1, 2015.</li>
<li>P.F. Chang’s, like many merchants, cannot process credit card transactions itself and, therefore, used “Servicers” who process the transactions with banks that issue the credit cards (Issuers). P.F. Chang’s entered into an agreement with Bank of America (BoA) to process these transactions.</li>
<li>Servicers such as BoA process these transactions and, in turn, must enter into agreements with credit card companies that obligate BoA and banks acting as Issuers to pay fees and assessments to credit card companies if there is a breach.</li>
<li>Under P.F. Chang’s agreement with BoA, P.F. Chang&#8217;s agreed to reimburse BoA for any fees and assessments it was required to pay credit card companies for P.F. Chang’s breach.</li>
<li>After the breach, Federal reimbursed P.F. Chang’s approximately $1.7 million for costs related to forensic investigations and defense of claims arising out of the breach.</li>
</ul>
<p>BoA also sought nearly $2 million in fees and assessments from P.F. Chang’s for amounts it incurred from its agreements with the credit card companies pursuant to P.F. Chang&#8217;s reimbursement agreement with BoA. P.F. Chang’s reimbursed BoA and then sought to recover this amount from Federal under its cyber policy. P.F. Chang&#8217;s initiated this litigation when Federal denied coverage for these amounts. P.F. Chang’s sought coverage under both Insuring Clause A and Insuring Clause B of the cyber policy. The court granted Federal’s motion for summary judgment finding no coverage under either Insuring Clause based on the following reasoning:</p>
<ul>
<li><strong>No Coverage Under Insuring Clause A</strong>: Under the Federal Policy, Insuring Clause A provided that, “[Federal] shall pay for <strong>Loss</strong> on behalf of an <strong>Insured </strong>on account of any <strong>Claim </strong>first made against such <strong>Insured </strong>. . . for <strong>Injury</strong>.” Injury is further defined under the cyber policy to include “Privacy Injury” which “means injury sustained or allegedly sustained by a <strong>Person </strong>because of actual or potential unauthorized access to such <strong>Person’s Record</strong>, or exceeding access to such <strong>Person’s Record</strong>.” The Federal Policy also defines “<strong>Record</strong>” as “any information concerning a natural person that is defined as: (i) private personal information; (ii) personally identifiable information&#8230;pursuant to any federal, state&#8230;statute or regulation,&#8230;where such information is held by an <strong>Insured Organization </strong>or on the <strong>Insured Organization’s </strong>behalf by a <strong>Third Party Service Provider</strong>” or “an organization’s non-public information that is&#8230;in an <strong>Insured’s </strong>or <strong>Third Party Service Provider’s </strong>care, custody, or control.” The court agreed with Federal’s argument on this point that P.F. Chang’s was not entitled to coverage under Insuring Clause A because BoA itself did not sustain a privacy injury, as its records were not compromised during the data breach.</li>
<li><strong>There May Be Coverage Under Insuring Clause B: </strong>Under the Federal Policy, Insuring Clause B provides that “[Federal] shall pay Privacy Notification Expenses incurred by an Insured resulting from [Privacy] Injury.” The court agreed with P.F. Chang’s argument that it was entitled to coverage under this provision because of the amounts P.F. Chang’s paid Issuers to reissue bankcards and new account numbers. Even though these fees and assessments may have been incurred by BoA, the court found it persuasive that P.F. Chang’s was ultimately responsible to pay these amounts under its contracts with BoA.</li>
<li><strong>Policy Exclusions Bar Coverage</strong>: Even if there was coverage under Insuring Clause B, the court held two exclusions in the Federal Policy would bar coverage for any contractual obligations P.F. Chang’s assumed from a third party. Specifically, the court agreed with Federal’s argument that the fees and assessments P.F. Chang’s assumed in its contract with BoA were excluded from coverage.</li>
</ul>
<p>As seen on prior occasions, the court’s coverage determination went back to <a href="https://privacyriskreport.com/something-old-something-new-well-established-first-party-property-concepts-used-in-computer-hacking-coverage-case/">basic coverage law</a>. In the <em>P.F. Chang’s </em>decision, the court discusses its reliance on existing coverage law: “In reaching this decision, the court turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”</p>
<p>It is important to note that Federal paid approximately $1.7 million for P.F. Chang’s damages related to forensic investigations and defense costs. These damages were not at issue under the cyber insurance policy. In short, the cyber policy worked exactly as it was intended to work when there was a data breach. While struggling with the more difficult question (whether the costs P.F. Chang’s became responsible for in its contract with BoA were covered), the court went back to fundamental insurance concepts to find cyber coverage was barred by exclusions for liability assumed from a third party. Therefore, while this decision provides guidance on how courts may be expected to interpret the specific language of a cyber policy, it also demonstrates the importance of the existing body of law related to CGL coverage.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/">The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-future-is-now-court-finds-no-coverage-under-cyber-policy-for-p-f-changs-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spokeo Decision Already Having “Concrete” Impact on Data Breach Class Action Litigation</title>
		<link>https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation</link>
		<comments>https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/#comments</comments>
		<pubDate>Wed, 01 Jun 2016 20:57:01 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[standing]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=767</guid>
		<description><![CDATA[
<p>On May 16, 2016, the U.S. Supreme Court issued its opinion in Spokeo v. Robins, addressing a highly contested circuit court split over the question of how to establish standing in federal courts under Article III. In ruling for the data-gathering company,... <a class="more-link" href="https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/">Spokeo Decision Already Having “Concrete” Impact on Data Breach Class Action Litigation</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On May 16, 2016, the U.S. Supreme Court issued its opinion in <em><a href="http://www.supremecourt.gov/opinions/15pdf/13-1339_f2q3.pdf" target="_blank">Spokeo v. Robins</a></em>, addressing a highly contested circuit court split over the question of how to establish standing in federal courts under Article III. In ruling for the data-gathering company, Spokeo, the Court established that while federal standing requires “injury in fact,” such injury must be both “particular and concrete.” In essence, the <em>Spokeo</em> decision may cause plaintiffs to think twice before filing a complaint based on nothing more than speculation of their damages.</p>
<p>While <em>Spokeo</em> did not involve data breach litigation, many commentators have already wondered if the <em>Spokeo</em> Court’s reasoning would be applied to data breach class actions.</p>
<p>The <em>Spokeo </em>decision potentially has far-reaching consequences as a number of plaintiffs in data breach cases have found <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/" target="_blank">establishing standing to be a difficult hurdle</a> to litigating their cases in federal court. And, the impact of the <em>Spokeo</em> decision on some plaintiffs in data breach class action cases has already begun to show.</p>
<p>For example, on May 18, 2016, two days following the <em>Spokeo </em>decision, the U.S. District Court for the District of Maryland applied the “particular and concrete” test to dismiss a privacy class action in <a href="https://privacyriskreport.com/wp-content/uploads/2016/06/Khan_v_Childrens_National_Health_System051916.pdf" target="_blank"><em>Kahn v. Children’s National Health System</em></a> (CNHS). CNHS maintains private health care records and personal information for those to whom it provides treatment. In July 2014, hackers gained access to the accounts of such individuals, accessing information including names, addresses, birthdates, Social Security numbers and other private health care information. While Kahn – representative of a putative class action – brought claims pursuant to FRCA, she failed to allege any concrete injury. In its decision, the District Court applied the <em>Spokeo </em>test as follows:</p>
<p style="padding-left: 30px;"><em>“Article III standing requires concrete injury even in the context of a statutory violation.” Although Congress may “elevate the status of legally cognizable injuries that are concrete, de facto injuries that were previously inadequate in law, or a ‘bare procedural harm’ under federal statute which are ‘divorced from any concrete harm,’ would not satisfy the injury in-fact requirement.”</em></p>
<p>As seen in the <em>Kahn</em> decision, the impact of <em>Spokeo</em> may be immediate and become a slight disincentive for some plaintiffs to file complaints without specific allegations to meet the threshold of “particularized and concrete.” Consequently, while the impact of <em>Spokeo</em> may be limited, it should initially cause a decline in the number of speculative data breach class action lawsuits filed and cause an increase in the number of data breach cases that may be dismissed via defendants’ motions to dismiss. The full impact of <em>Spokeo</em> will not be known until the 9th U.S. Circuit Court of Appeals has applied the test in the manner required by the U.S. Supreme Court.</p>
<p><em>Tressler LLP law clerk Spencer Lee contributed to this post.</em></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/">Spokeo Decision Already Having “Concrete” Impact on Data Breach Class Action Litigation</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
